In ACE load balancing we are facing a Kerberos authentication issue. When we access a server directly (10.1.8.62) it works fine, but when we access it through the LB VIP address (10.1.4.33) it asks for authentication.
How can we resolve this issue?
The configuration is as below:
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address 10.1.8.61
  inservice
rserver host iis1a
  ip address 10.1.8.62
  inservice

serverfarm host web
  rserver iis1
    inservice
  rserver iis1a
    inservice

parameter-map type http Kerberos
  server-conn reuse
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask 255.255.255.255 address both stickyRule
  serverfarm web

class-map type management match-any IIS-mgmt
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol kalap-udp any
  207 match protocol telnet any
  208 match protocol xml-https any
class-map match-all slb-vip
  2 match virtual-address 10.1.4.33 any

policy-map type management first-match IIS-mgmt
  class IIS-mgmt
    permit
policy-map type management first-match remote-access
  class class-default
    permit
policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule
I looked at your configuration again and realized that ACE is not learning or doing anything at the HTTP level and hence no statistics. You have sticky based on the L3.
You have mentioned it works directly but through ACE it doesn't. The only difference I see is that the client is getting NATed here. If you test with only one server in the serverfarm, does it work fine? Can you do a capture on ACE itself so that we can see the communication between client, ACE and server to see what is going on here?
Do you see anything when you do "show conn"? You can filter it with source/vip address. Is there any specific requirement from these servers which needs to be configured on ACE?